
Which Cryptolocker is this?


This topic is locked
14 replies to this topic

#1 calgary11


Posted 22 April 2015 - 09:55 AM

One of our users in a remote office got this on their desktop. It's obviously Cryptolocker, but which variant is this?
Has anyone seen this one? Is it new?
We pulled the computer off the network and so far I haven't found any network drive encryption.
 
Thanks

Edit: Topic moved from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate forum. ~ Animal

#2 Fremont PC


Posted 22 April 2015 - 11:47 AM

calgary11 -

 

Have a look at this topic and see if it fits the description:

 

http://www.bleepingcomputer.com/forums/t/568525/new-teslacrypt-ransomware-sets-its-scope-on-video-gamers/



#3 Aura (Malware Response Team)

Posted 22 April 2015 - 12:13 PM

Hi calgary11 :)

Can you show us the ransom note and the ransom webpage? Also, do you know if the extensions of the encrypted files have been changed?

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 calgary11 (Topic Starter)

Posted 22 April 2015 - 12:22 PM

Hi calgary11 :)

Can you show us the ransom note and the ransom webpage? Also, do you know if the extensions of the encrypted files have been changed?

 

I don't have that information yet. The PC is located in one of our remote offices, and as soon as I heard of the infection I asked that it be removed from the network.

We are having the PC shipped back to our head office to take a look at it.



#5 Aura (Malware Response Team)

Posted 22 April 2015 - 12:41 PM

To me it looks like TeslaCrypt, but the ransom notes on the Desktop don't have the standard name, which is usually "HELP_TO_DECRYPT_YOUR_FILES.txt"; it does have the background set as a ransom note, though. We'll be able to confirm it once you receive the computer and let us know the exact file names of the ransom notes and whether the extensions of the encrypted files were changed or not.


#6 calgary11 (Topic Starter)

Posted 22 April 2015 - 01:12 PM

To me it looks like TeslaCrypt, but the ransom notes on the Desktop don't have the standard name, which is usually "HELP_TO_DECRYPT_YOUR_FILES.txt"; it does have the background set as a ransom note, though. We'll be able to confirm it once you receive the computer and let us know the exact file names of the ransom notes and whether the extensions of the encrypted files were changed or not.

 

Thanks, I will post the information as soon as I have it.



#7 quietman7 (Global Moderator)

Posted 22 April 2015 - 01:31 PM

Any files that are encrypted with TeslaCrypt will have the .ecc extension added to the end of the filename.
- TeslaCrypt leaves files named:
%Desktop%\HELP_TO_DECRYPT_YOUR_FILES.bmp
%Desktop%\HELP_TO_DECRYPT_YOUR_FILES.txt
My Documents\RECOVERY_KEY.txt

Files associated with TeslaCrypt:
%AppData%\<random>.exe
%AppData%\key.dat
%AppData%\log.html
%Desktop%\CryptoLocker.lnk
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 calgary11 (Topic Starter)

Posted 29 April 2015 - 09:51 AM

I think you are right, quietman7.

I found files with the .ecc extension.

The files with the decryption information are called "HELP_RESTORE_FILES.txt" and they are found in almost every directory, but not every file is encrypted.

 

Also found:

%AppData%\key.dat
%AppData%\log.html - with the summary of encrypted files
%Desktop%\CryptoLocker.lnk 

I also found a file at the root of C:\ called "recovery_key.txt" with a bunch of letters and numbers in it. Not a very large file (1 KB).
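
The indicators listed by quietman7 in post #7 and confirmed by calgary11 in post #8 (the .ecc extension, the ransom-note names, and the key.dat / log.html / CryptoLocker.lnk artifacts) can be turned into a read-only triage scan. The script below is an added example written for this page, not a tool from BleepingComputer or from the thread; the directory tree it scans is constructed in a temp folder so it runs offline, and the verdict rule (renamed files plus notes = likely TeslaCrypt) is my assumption, not something the thread states.

```python
import os
import tempfile

# Indicators taken from this thread: the ".ecc" extension and the note/artifact
# names listed in post #7, plus "HELP_RESTORE_FILES.txt" as reported in post #8.
# Windows file names are case-insensitive, so everything is compared lowercased.
ENCRYPTED_EXT = ".ecc"
NOTE_NAMES = {"help_to_decrypt_your_files.txt", "help_to_decrypt_your_files.bmp",
              "help_restore_files.txt", "recovery_key.txt"}
ARTIFACT_NAMES = {"key.dat", "log.html", "cryptolocker.lnk"}


def scan_for_teslacrypt(root):
    """Walk 'root' read-only and tally the TeslaCrypt indicators above."""
    hits = {"encrypted": [], "notes": [], "artifacts": [], "dirs_with_notes": 0}
    for dirpath, _dirs, files in os.walk(root):
        note_here = False
        for name in files:
            low = name.lower()
            path = os.path.join(dirpath, name)
            if low.endswith(ENCRYPTED_EXT):
                hits["encrypted"].append(path)
            elif low in NOTE_NAMES:
                hits["notes"].append(path)
                note_here = True
            elif low in ARTIFACT_NAMES:
                hits["artifacts"].append(path)
        if note_here:
            hits["dirs_with_notes"] += 1
    # Assumed rule: a note alone could be a stray copy; renamed files plus notes
    # is the strong signal the thread relied on.
    hits["verdict"] = ("likely TeslaCrypt" if hits["encrypted"] and hits["notes"]
                       else "inconclusive")
    return hits


def build_sample_tree():
    """Constructed (fake) tree mirroring what post #8 reported; no real malware."""
    root = tempfile.mkdtemp(prefix="teslacrypt_triage_")
    sample = [
        "Users/u/Pictures/holiday.jpg.ecc", "Users/u/Pictures/HELP_RESTORE_FILES.txt",
        "Users/u/Documents/report.docx", "Users/u/Documents/HELP_RESTORE_FILES.txt",
        "Users/u/AppData/Roaming/key.dat", "Users/u/AppData/Roaming/log.html",
        "Users/u/Desktop/CryptoLocker.lnk", "recovery_key.txt",
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()  # empty placeholder file
    return root
```

Run `scan_for_teslacrypt(build_sample_tree())` to see the tally; pointing it at a real user profile instead of the sample tree gives the same summary without modifying any file.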



#9 Aura (Malware Response Team)

Posted 29 April 2015 - 09:55 AM

So it's indeed TeslaCrypt. You can try the Cisco Talos group's decrypter for TeslaCrypt and see if it can decrypt the encrypted files. More information can be found in the thread below.

Cisco's Talos Group releases decryptor for TeslaCrypt



#10 calgary11 (Topic Starter)

Posted 29 April 2015 - 09:59 AM

Thanks Aura,

We didn't lose any data, since the only files that were encrypted were mostly Internet Explorer cookies and sample pictures. That was due in part to the quick reaction of our technician, who advised the user to shut down the computer as soon as he found out.



#11 Aura (Malware Response Team)

Posted 29 April 2015 - 10:04 AM

That's good to know. Maybe this will give a hint to your IT management to start thinking about protection against cryptoware :) I wish it would for mine.


#12 Newlycryptolockered


Posted 29 April 2015 - 11:43 AM

I'm newly registered here, and it's due to this! My laptop has been infected and encrypted. Trying to save what I can. The cryptolocker has been stopped, I believe, after installing new anti-malware from Malwarebytes (also SpyHunter, for which I think I might find some grief according to some things I've read). I tried the tool created by Cisco's Talos group without any luck (currently searching for the key.dat file, might get lucky). What I think I have to do is restore the computer to its original state, refresh or recover. Sadly this will mean losing recently acquired photos that I did not back up (of my dad and my son, who passed recently). If I cannot save anything, should I restart the computer to its original state (first purchased)? As for anti-malware and such, do I purchase the full version of them before or after the restart? All the "shadow volume files", I believe they're called, were deleted during encryption. Any help or direction would be appreciated. I got this cryptolocker on April 27, 2015 at 6pm downloading coloring pages for my younger sons from a "NickJr" site, or so I believed it was.

#13 Aura (Malware Response Team)

Posted 29 April 2015 - 11:51 AM

Hi Newlycryptolockered :)

If you've been infected with TeslaCrypt, you should seek assistance in the TeslaCrypt Support thread. This way, all the posts will be centralized in one place and allow the helpers and developers here to give better assistance to members that need it.

New TeslaCrypt Ransomware sets its scope on video gamers

Good luck :)



#14 Newlycryptolockered


Posted 29 April 2015 - 12:03 PM

I will, thank you.

#15 quietman7 (Global Moderator)

Posted 29 April 2015 - 01:06 PM

Now that the infection has been identified...this topic is locked to avoid confusion.

If you have further questions, post them in this topic: New TeslaCrypt Ransomware sets its scope on video gamers.